Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread Dr. Stephen Henson
On Wed, Jan 28, 2015, Tom Francis wrote: > > Actually, I was thinking of the 1.x FIPS module, and OpenSSL 0.9.8, where > OpenSSL would prevent disallowed algorithms from being used, but only if you > used the EVP interfaces. You could, for example, invoke MD5 directly. Did > that change with 2.x

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread Tom Francis
> On Jan 28, 2015, at 8:47 AM, Dr. Stephen Henson wrote: > > On Wed, Jan 28, 2015, jone...@teksavvy.com wrote: > >> On Mon, 26 Jan 2015 22:35:12 -0500 >> Tom Francis wrote: >> >> Thanks for the detailed comments. I understand the concerns, although >> there's one thing I do not see clearly,

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread Steve Marquess
On 01/28/2015 08:31 AM, jone...@teksavvy.com wrote: > ... > >> We have not done any validations that satisfy the various new >> requirements introduced in late 2013 and early 2014. New validations >> are very expensive, in dollars, time, and grief, and we don't have the >> necessary financial back

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread Dr. Stephen Henson
On Wed, Jan 28, 2015, jone...@teksavvy.com wrote: > On Mon, 26 Jan 2015 22:35:12 -0500 > Tom Francis wrote: > > Thanks for the detailed comments. I understand the concerns, although > there's one thing I do not see clearly, that is: > > > 2) Applications that don't know they're operating i

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread jone...@teksavvy.com
On Mon, 26 Jan 2015 22:35:12 -0500 Tom Francis wrote: > This is a bad idea. It can generally be done, and it’s probably not > even too hard (for some uses, anyway). But it’s a bad idea. Here’s > why: Thanks for the detailed comments. I understand the concerns, although there's one thing I do

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-28 Thread jone...@teksavvy.com
On Tue, 27 Jan 2015 14:13:57 -0500 Steve Marquess wrote: > The user guide documents that correctly. For the OpenSSL FIPS Object > Module 2.0 (#1747) the FIPS mode of operation is enabled with > FIPS_mode_set(). There is no "library startup"; you keep confusing > past validations with new ones. O

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread Steve Marquess
On 01/27/2015 11:09 AM, jonetsu wrote: > "Steve Marquess" wrote on 01/27/15 09:18: Thank > you (and Tom) for your comments - much appreciated. > >> Tom Francis nailed the answer to this one. We did design the FIPS >> module + "FIPS capable" OpenSSL combination to make it possible to >> have a syst

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread jonetsu
"Steve Marquess" wrote on 01/27/15 09:18: Thank you (and Tom) for your comments - much appreciated. > Tom Francis nailed the answer to this one. We did design the FIPS module > + "FIPS capable" OpenSSL combination to make it possible to have a > system wide "FIPS mode" capability, but that presume

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-27 Thread Steve Marquess
On 01/26/2015 06:21 PM, jone...@teksavvy.com wrote: > On Fri, 16 Jan 2015 10:16:48 -0500 > Steve Marquess wrote: > >> On 01/15/2015 05:52 AM, Marcus Meissner wrote: > >>> On Linux usually triggered by /proc/sys/crypto/fips_enabled >>> containing "1" or the environment variable >>> OPENSSL_FORCE_

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-26 Thread Tom Francis
> On Jan 26, 2015, at 6:21 PM, jone...@teksavvy.com wrote: > > On Fri, 16 Jan 2015 10:16:48 -0500 > Steve Marquess wrote: > >> On 01/15/2015 05:52 AM, Marcus Meissner wrote: > >>> On Linux usually triggered by /proc/sys/crypto/fips_enabled >>> containing "1" or the environment variable >>> OPE

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-26 Thread jone...@teksavvy.com
On Fri, 16 Jan 2015 10:16:48 -0500 Steve Marquess wrote: > On 01/15/2015 05:52 AM, Marcus Meissner wrote: >> On Linux usually triggered by /proc/sys/crypto/fips_enabled >> containing "1" or the environment variable >> OPENSSL_FORCE_FIPS_MODE=1 (at least for the certs done by SUSE and >> Redhat,

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-16 Thread Steve Marquess
On 01/15/2015 05:52 AM, Marcus Meissner wrote: > On Thu, Jan 15, 2015 at 05:46:22AM -0500, jone...@teksavvy.com > wrote: >> On Tue, 13 Jan 2015 21:33:49 -0500 "jone...@teksavvy.com" >> wrote: >> >>> So basically every app that uses libssl will have to be modified >>> to add a FIPS_mode_set() call

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-15 Thread Marcus Meissner
On Thu, Jan 15, 2015 at 05:46:22AM -0500, jone...@teksavvy.com wrote: > On Tue, 13 Jan 2015 21:33:49 -0500 > "jone...@teksavvy.com" wrote: > > > So basically every app that uses libssl will have to be modified to > > add a FIPS_mode_set() call near the beginning. Is that right ? > > Is there a

Re: [openssl-users] Using FIPS mode and modifying apps

2015-01-15 Thread jone...@teksavvy.com
On Tue, 13 Jan 2015 21:33:49 -0500 "jone...@teksavvy.com" wrote: > So basically every app that uses libssl will have to be modified to > add a FIPS_mode_set() call near the beginning. Is that right ? Is there a way to automatically have the FIPS test executed when an application loads the libra

[openssl-users] Using FIPS mode and modifying apps

2015-01-13 Thread jone...@teksavvy.com
Hello, A system running in FIPS can have several applications using libssl. openvpn and openswan are two. There can be 3rd party web servers. So on. Is there any 'library magic' these days that would prevent modifying each and every application to add a FIPS_mode_set() call and error handling ?